Skill

azure-role-selector

Guide users to the correct Azure RBAC role for their identity and permissions requirements, following least-privilege principles. Use when a user asks which role to assign, needs help finding a built-in role, wants to create a custom role, or needs to understand Azure role assignments and permissions.

From azure

Install

Run in your terminal

npx claudepluginhub atc-net/atc-agentic-toolkit --plugin azure

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

LICENSE.txt

Skill Content

Azure Role Selector

Help users find and assign the correct Azure RBAC role with least-privilege access.

Workflow

Gather requirements — Ask what permissions the identity needs and on which resource scope (management group, subscription, resource group, or resource)
Search built-in roles — Use Azure MCP/documentation to find built-in roles matching the required permissions
Evaluate fit — Compare the role's permissions against what the user needs. Prefer the most restrictive role that covers all requirements
Custom role if needed — If no built-in role matches, use Azure MCP/extension_cli_generate to create a custom role definition with only the required permissions
Generate assignment — Use Azure MCP/extension_cli_generate to produce the CLI commands for the role assignment, and Azure MCP/bicepschema + Azure MCP/get_bestpractices to provide a Bicep snippet

Key Principles

Least privilege — Always recommend the most restrictive role that satisfies the requirements
Prefer built-in roles — Only suggest custom roles when no built-in role is a good fit
Scope matters — Assign at the narrowest scope possible (resource > resource group > subscription > management group)
Avoid Owner/Contributor unless explicitly justified — suggest more specific roles first

Common Role Categories

Category	Example Roles	When to suggest
Read-only	Reader, various *Reader roles	View access only
Data plane	Storage Blob Data Contributor, Key Vault Secrets User	Access to data within a resource
Operator	VM Contributor, Network Contributor	Manage specific resource types
Security	Security Reader, Security Admin	Security-related tasks
Monitoring	Monitoring Reader, Log Analytics Reader	Observability tasks

Tools

Azure MCP/documentation — Search for role definitions and permissions
Azure MCP/bicepschema — Generate Bicep code for role assignments
Azure MCP/extension_cli_generate — Generate CLI commands or custom role definitions
Azure MCP/get_bestpractices — Get RBAC best practices

Similar Skills

payload

11 files

Use when working with Payload CMS projects (payload.config.ts, collections, fields, hooks, access control, Payload API). Use when debugging validation errors, security issues, relationship queries, transactions, or hook behavior.

41.4k

data-quality-frameworks

Implement data quality validation with Great Expectations, dbt tests, and data contracts. Use when building data quality pipelines, implementing validation rules, or establishing data contracts.

32.2k

airflow-dag-patterns

Build production Apache Airflow DAGs with best practices for operators, sensors, testing, and deployment. Use when creating data pipelines, orchestrating workflows, or scheduling batch jobs.

32.2k

Stats

Parent Repo Stars0

Parent Repo Forks1

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README